Companies may have reached a positive turning point when it comes to managing their vendor risks, according to the annual Vendor Risk Management Benchmark Study, published by the Shared Assessments Program and Protiviti. The study found that organizations across all industries, and, in particular, financial services, are increasing their focus on managing vendor and third-party risks. The maturity levels associated with different vendor risk management program areas have improved noticeably.
In its third year, the Vendor Risk Management Benchmark Study examined information from nearly 400 C-suite executives, risk management and audit professionals, who rated their public and private organizations using the Shared Assessments Program's Vendor Risk Management Maturity Model (VRMMM) – a holistic benchmarking tool for evaluating the quality and maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The surveyed organizations represent a mix of industries, with the largest contingent in financial services.
Key survey findings for 2016 include:
- A clear correlation between boards with high engagement in and understanding of cybersecurity risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
- While many boards (39 percent) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26 percent) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors' level, third-party risk management awareness levels are still lagging.
- Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third-party risk programs with all recommended compliance measures in place.
- A narrowing of the maturity gap between financial services and all other verticals can be seen, which is probably a result of increased regulatory pressure in sectors that include insurance and health care.